Bill Calls for Study of Cybersecurity Standards for Cars

A bipartisan bill was introduced this week in the House calling for the NHTSA to conduct a study that would determine appropriate cybersecurity standards for motor vehicles.

A House bill was introduced Tuesday that could accelerate the federal government’s involvement in regulating automobile cybersecurity.

The Security and Privacy in Your Car Study Act of 2017, authored by Reps. Ted Lieu (D-Calif.) and Joe Wilson (R-SC), calls on the National Highway Traffic Safety Administration to lead a study of necessary security standards that could be included in a law governing cars built in the U.S. or imported for sale.

A similar SPY Car Act of 2015 introduced by Sen. Edward Markey (D-MA) was much more prescriptive of the NHTSA in securing electronic controls and driving data collected by vehicle systems.

This week’s bill calls for the NHTSA to study the issue alongside the Federal Trade Commission, NIST and other stakeholders. They have a year to produce a preliminary report, and another six months beyond that to draft a final report that includes dates for adoption and recommendations that would be included in legislation.

“Every American has a right to drive cars that are safe and secure. Cars don’t necessarily come to mind when most of us think about cybersecurity. But the Internet of Things (IoT) is bringing technology and connectivity into every part of our lives—including our motor vehicles,” Lieu said. “Without good cyber hygiene, a hacker could easily turn a car into a weapon.”

Yoni Heilbronn, an executive with Argus Cyber Security, a company specializing in automotive cybersecurity, said he had mixed feelings about the bipartisan bill. He acknowledged that the proposal could bring some positives to the conversation, but he wonders whether legislators believe the automotive industry is moving too slowly toward progress. He recalled a panel he attended last year with Sen. Gary Peters, a Michigan Democrat who urged industry to be more responsive and proactive.

“I heard him pleading with the industry to do things on its own, and not wait for the U.S. government to regulate,” Heilbronn said. “If regulation comes, it could be even more strict than what industry would do to itself.”

The current bill asks NHTSA to identify a number of critical areas that could be exploited by hackers; researchers Charlie Miller and Chris Valasek, as well as researchers from the University of California at San Diego, have already demonstrated a number of high-profile hacks exploiting vulnerabilities in electronic communications systems in a number of vehicles.

Specifically, the SPY Car Study Act of 2017 asks officials to examine how to best isolate critical software from other code running inside a motor vehicle, and identify measures to detect vulnerabilities and code anomalies associated with malicious behavior. They’re also tasked with identifying how to best implement on-demand risk assessments and continuous penetration-testing of critical systems. Finally, they are asked to determine best practices to secure driving data as it’s collected and stored on board, in transit, and stored off-board.

Heilbronn said some in industry are more vigilant about cybersecurity than others; Jeep, for example, quickly patched vulnerabilities in its UConnect entertainment systems exploited by Miller and Valasek, and instituted an unprecedented vehicle recall.

Last March, the FBI and NHTSA teamed up on a formal warning to the auto industry about vulnerabilities that leave cars exposed to internet-based attacks. The FBI warned that vulnerabilities in features such as UConnect and aftermarket devices pose an “unreasonable risk to safety.”

“I’ve never seen such a statement before,” Heilbronn said. “It’s unheard of. It also gives you a good idea of the way of thinking inside the U.S. government, that these risks need to be addressed. If there is regulation some day, there will be enforcement. The question is, how long does industry wait before it does something?”

Authors

Threatpost
